Hello,

First off, forgive me if that has been discussed before.

Has there been any thought given to using dns records queried from the IP of a host where puppet is installed? Reason I'm asking is we had an issue in which our fqdn got screwed up in /etc/hosts in the form of node.example instead of host.example.com and that led to the server signing the cert for the host (yeah bad, we use auto signing) as node.example which of course was not a valid host declared in sites.

This is not a rant, just a question. Thanks for anyone who can shed any light on this.

Cheers,
Steph

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On 04/01/2011 08:23 PM, FRLinux wrote:
> Hello,
>
> First off, forgive me if that has been discussed before.
>
> Has there been any thought given to using dns records queried from the
> IP of a host where puppet is installed? Reason I'm asking is we had an
> issue in which our fqdn got screwed up in /etc/hosts in the form of
> node.example instead of host.example.com and that led to the server
> signing the cert for the host (yeah bad, we use auto signing) as
> node.example which of course was not a valid host declared in sites.
>
> This is not a rant, just a question. Thanks for anyone who can shed
> any light on this.

Hi,

certification can be painful at times, but I don't see the real problem you had with requesting a signature on a badly named cert?

You can always just revoke it on the master and have your client issue a new CSR.

Regards,
Felix

On Mon, Apr 4, 2011 at 9:50 AM, Felix Frank <felix.frank@alumni.tu-berlin.de> wrote:
> certification can be painful at times, but I don't see the real problem
> you had with requesting a signature on a badly named cert?
>
> You can always just revoke it on the master and have your client issue a
> new CSR.

Hello,

Thanks for your response, my point was more that if puppet relied on querying the FQDN for the box, it would request the right cert all the time.

Cheers,
Steph
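
The comparison discussed in this thread, as an added example that is not part of the original messages and is not Puppet's own code: a pre-flight check that compares the locally configured name with forward-confirmed reverse DNS for the host's IP before a CSR is sent. The function name, the result keys, and the sample records (a documentation-range address with the two names from the thread) are assumptions made for illustration.

```ruby
require 'resolv'

# Compare the name the agent would put in its CSR with forward-confirmed
# reverse DNS for the host's IP. `reverse` maps ip -> [names] and `forward`
# maps name -> [ips]; both are injected so the check can run offline.
def certname_check(local_fqdn, ip, reverse:, forward:)
  norm = ->(n) { n.to_s.downcase.chomp('.') }
  ptr = reverse.call(ip).map(&norm).uniq
  return { ok: false, reason: :no_ptr, dns_names: [] } if ptr.empty?

  # Keep only PTR names whose address records point back at the same IP.
  confirmed = ptr.select { |n| forward.call(n).map(&:to_s).include?(ip) }
  if confirmed.empty?
    return { ok: false, reason: :ptr_not_forward_confirmed, dns_names: ptr }
  end

  if confirmed.include?(norm.call(local_fqdn))
    { ok: true, reason: :match, dns_names: confirmed }
  else
    { ok: false, reason: :local_name_differs, dns_names: confirmed }
  end
end

# Live resolvers that ask DNS only, bypassing /etc/hosts (defined, not called here).
DNS_REVERSE = ->(ip) { Resolv::DNS.open { |d| d.getnames(ip) } }
DNS_FORWARD = ->(name) { Resolv::DNS.open { |d| d.getaddresses(name) } }

# Constructed sample records: documentation address range, names from the thread.
SAMPLE_PTR = { '192.0.2.10' => ['host.example.com.'] }.freeze
SAMPLE_A   = { 'host.example.com' => ['192.0.2.10'] }.freeze
SAMPLE_REVERSE = ->(ip) { SAMPLE_PTR.fetch(ip, []) }
SAMPLE_FORWARD = ->(name) { SAMPLE_A.fetch(name, []) }

%w[node.example host.example.com].each do |name|
  r = certname_check(name, '192.0.2.10',
                     reverse: SAMPLE_REVERSE, forward: SAMPLE_FORWARD)
  puts "#{name}: #{r[:reason]} (DNS says #{r[:dns_names].join(', ')})"
end
```

Passing `DNS_REVERSE` and `DNS_FORWARD` instead of the sample lambdas runs the same comparison against the configured resolvers; a result other than `:match` is the cue to fix /etc/hosts before the agent requests a certificate.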